Setting auth scope based on a returned type

[nickabate]

Hello, this is a related two part issue regarding error data on auth scoped queries, and returning query data based on individual return type values for a group of items.

In the absence of setting auth scope based on the return value of a field, I have implemented using a check on a return type as recommended per documentation. For more context of our situation, we are aiming to restrict access to a returned product depending on if a specified attribute value is present. If a user is not authorized to view the product, we will return null. Otherwise, they can view the data and specified fields per their query.

First issue: while we have successfully returned null on an entire query result by setting runScopesOnType to true on the underlying type, I cannot find a way to disable the error being sent as well. We were hoping to return only the data property (with null return for the specific query) and cannot find a way to turn off the error return per documentation, but only how to customize it.

Second issue: when searching for a group of items, if the query includes one restricted item with additional non-restricted items, the entire query returns null and also throws the error. We were hoping to return null for the restricted item only, while returning the appropriate data for the remainder of the query and bypass any error. This object reference uses the same underlying type for returning one product which the auth scope has been set on, which is working as mentioned above.

Apologies for any oversight on my end with regards to available documentation. Thank you!

[hayes]

First issue: while we have successfully returned null on an entire query result by setting runScopesOnType to true on the underlying type, I cannot find a way to disable the error being sent as well. We were hoping to return only the data property (with null return for the specific query) and cannot find a way to turn off the error return per documentation, but only how to customize it.

This one is hard to work around. runScopesOnType run the auth checks in the isTypeOf check for a type. By that point in execution GraphQL already thinks that the value was resolved to a non-nul value, which can't be changed without an error. Pothos doesn't control the execution, and works almost entirely by wrapping resolvers and other functions (resolveType, isTypeOf) to add additional behavior.

Second issue: when searching for a group of items, if the query includes one restricted item with additional non-restricted items, the entire query returns null and also throws the error. We were hoping to return null for the restricted item only, while returning the appropriate data for the remainder of the query and bypass any error. This object reference uses the same underlying type for returning one product which the auth scope has been set on, which is working as mentioned above.

This should work the way you want if you make the list items nullable (nullable: { list: true, items: true }), but let me know if thats not working the way you expect.

I am open to adding a better way to have post-resolver auth checks to the plugin, but getting that API to work in a consistent/predictable way can be challenging. If you have a specific way you would like to define those types of auth checks, let me know, and I can try to see if it's possible, or at least explain the challenges/tradeoffs for why that might be hard to make work correclty

[nickabate]

Thanks for the feedback! I was able to partially resolve things with the nullable properties set. We'll reach out if anything else pops up or if we had any ideas with regards to the error handling.